Amendments to the Specification 

Please amend the specification as follows: 
Paragraph 0027: 

- FIG. 3 is a block diagram illustrating exemplary modules of claims engine 116 
(FIG. 1), according to one embodiment. In this embodiment, claims engine 1 16 includes 
authentication (Auth-N) modules 302i-302 L , authorization (Auth-Z) modules 3 06 1 -3 06m, 
and an access control module 308. In one embodiment, Auth-N modules 302i-302 L 
perform authentication operations (e.g., validates token(s) and/or trusts of token issuer(s)) 
for "L" different authentication mechanisms. For example, Auth-N modules 302] - 302l 
can perform such authentication operations for: (1) X.509 tokens; (2) K e rb e ros tokens 
KKRBKROS <M tokens ("security services application programming interface) : and (3) 
Username/Password tokens; as well as other tokens. In addition, in this embodiment, 
Auth-N modules extract claim(s) from tokens as described above in conjunction with 
block 202 (FIG. 2). 

Paragraph 0028: 

- Auth-Z modules 306i-306 M , in one embodiment, perform claim mapping 
operations such as, for example, mapping extracted claims to other claims for "M" 
different mappings. For example, Auth-Z modules 302i-302 L can perform claim mapping 
operations to: (1) identify claims; (2) group membership claims (e.g., as defined in 
Windows S e rver 2003 WINDOWS SERVER 2003™ Authorization Manager); and (3) 
role claims; as well as other types of claims. In one embodiment, Auth-Z 
modules 306i-306m map claims to other claims as described above in conjunction with 
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block 204 (FIG. 2). In addition, Auth-Z modules 306i-306 M , can map claims on a per 
resource basis. For example (continuing the above Internet purchase example), one of the 
Auth-Z modules can map the aforementioned employee's identity claim (John Doe) to the 
role claim (purchaser) for a resource (shopping cart: John Doe). - 
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